“In-line with” ≠ “in line with”
. . . and even if they do mean the same thing, they both mean nothing insofar as they refer to the privacy policy, which is surely a paragon of clear concise writing.

And the word “solely” comes before the word “use”, which implies that CIQ is their exclusive software data of choice. It does not mean that CIQ software data is used solely for the purpose of improving wireless network and service performance and nothing else. And, yeah, who the hell knows the methods used for said improvement?

The statement isn’t even a denial. Not saying anything would have been less deceptive.

Because this is chump bait. Sprint is making a play here. They need investor support, spectrum and money. I’m not saying Sprint should be let off here. But all these carriers use a form of Carrier IQ. How else do they know if you’re tethering or not?

Seems like Sprint is trying to be open, where the other carriers are trying to say as little as possible and not get their foot stuck in their mouth.

Rogers and Verizon say they don’t use Carrier IQ, but they make no other mention in regards to their own data gathering solutions.

The thing that sucks is that the consumer finds out about these things after the fact (ignore the fact that the customer signs privacy agreements agreeing to let Sprint collect “data”), and lends to the idea that something more sinister is going on.

“Completely Different” isn’t exactly a true statement. Also, it’s still ambiguous as to whether or not it’s on the CDMA iPhone 4 (which is an APPLE INC. phone) and Verizon just doesn’t use it (ignorance is bliss right?). Or if they’re just lying through their teeth.
It could be said that the CDMA iPhone 4 on Verizon Wireless and Sprint use exactly the same hardware and possibly even almost exactly identical software. I’m dubious that CIQ doesn’t exist on Verizon phones at all. I’m guessing it’s just that Verizon doesn’t use the technology, though I’d be happy to be proven wrong.

Yes, seems like hair-splitting. But the iPhone does NOT have a Verizon logo on it; it is NOT a Verizon phone.

I’m amazed at this whole focus, though: I kinda think that EVERY carrier employs some sort of quality-monitoring/reporting software on their smartphone handsets. The issue shouldn’t just be with CIQ but rather, is there software which COULD, or actually HAS, violated user privacy laws, promises and social expectations?

After the announcement that Apple don’t support Carrier IQ anymore – this is where Apple turn around and plow all that money into making their own carrier. This is where they say that they will never perform surveillance upon their users. This is where they could completely clean up.

Apple, MS and Nokia are special cases, because they have more control over the software than makers of Android phones. It looks like Windows Phone and Symbian are totally in the clear, and that Apple did not do anything nefarious with it (i.e. AT&T’s blanket denial does apply to the iPhone).

As an opt-in that you had to turn on to enable with a specific message explaining the very limited set of Carrier IQ features that were being used. Not running in the background from the moment of purchase without ever giving any hint to the user that it existed.

How ridiculous are all of you concerned to such a degree about Carrier IQ? For the love of god, you’re using their network. How do I put emphasis on this? YOU’RE USING THEIR NETWORK. Your phone calls and text messages and photos don’t reach their end destination via magic. It’s routed over their towers. Your phone calls aren’t encrypted. Your SMS aren’t encrypted. Your photos aren’t encrypted. As they pass through their towers, they have every single bit of information, less the diagnostic information that Carrier IQ is providing them, about what you’re doing. They have the content, the time, the recipient, their replies. That information is there, and they have access to it already.

The point of Carrier IQ is not selling your data, but network diagnostics. You’re misinformed, but that’s fine, there’s so much misinformation that gets floated around when mass outrage breaks out for stuff like this.

My point was not that being concerned about your privacy is wrong, it was that only being concerned about Carrier IQ is insane. You should not expect your communications via cellular network to be private.

CarrierIQ logs information that does not use the carrier networks, it logs info that goes through Wifi, and actions done offline and information that is encrypted like SSL passwords. It is logging stuff that you are doing on *your* phone not on *their* network.

As far as the carriers are concerned, until you finish your contract, the Hardware still belongs to them, even if you use it on your own, or a competitor’s network.
Therefore, they feel that they are entitled to know exactly what you are doing with their device.

A Device-Server SSL connection also reduces how much they can compress the data in their network.

I’m not trying to be condescending. People have their areas of expertise, this Carrier IQ thing intersects with part of mine. All I’m trying to do is counteract what I feel is misinformation.

The main video going around being cited about keystrokes being logged is by Eckhart. His video is of an HTC phone and an insecure log file. This issue actually lies on the shoulders of HTC, who produced a sloppy implementation. That file is being populated by the operating system, not by Carrier IQ. It’s a log of all the API calls being made in the OS, the most glaringly horrible of which Carrier IQ is not concerned with. All the outrage directed at CIQ should be at HTC for writing these debug logs in the first place, but also for doing so insecurely.

Other independent analysis of the CIQ software has since shown that the majority of sensitive information on your phone is not being relayed. One thing that is correct is that it’s logging URLs and I completely agree with people having a problem with that. However, user names and passwords and the like are not being sent. The actual content of HTTP or HTTPS (SSL) connections is not being sent either.

So really _most_ of the information being relayed by Carrier IQ is diagnostic and related to network quality, which can be used for improving cellular reception and diagnosing dropped calls.

If I make a secure http connection—even OVER THEIR NETWORK (as you say)—I shouldn’t have to worry about whether the data is being logged clandestinely in plaintext on my phone and forwarded at a later point to a third party.

*Reasonable expectation of privacy is defined in Katz v. United States to apply under the conditions “first that a person have exhibited an actual (subjective) expectation of privacy and, second, that the expectation be one that society is prepared to recognize as ‘reasonable.’”

On the other hand, the law is not settled on the privacy of radio communications. (Citation missing, too hard to find from my phone’s browser.) And in fact, many would argue that we have an inherent right to sense and process (including decode or decrypt) any radio frequency energy that passes through our property or personal space. Of course, that’s somewhat tangential for what that means for a radio telephony carrier.

I heard a story on NPR a few weeks ago talking about the voicemail hacking scandal. They found that hacking could easily be done by paying a small fee to a company which will change your caller ID for you. Then you hit the voicemail star-code. Because you now have the caller ID of the target’s cell phone, the voicemail system thinks you’re the target. NPR found that AT&T and Sprint give you the option of not requiring a PIN when you call voicemail from your own phone! I wasn’t clear if that was opt-in or opt-out, but what was that statement from Bruce Schneier that user security should neither be opt-in nor opt-out? Verizon and T-Mobile require a PIN regardless (i.e. security not optional). This is what made voicemail hacking so easy.
So I wasn’t at all surprised to see Sprint’s and AT&T’s response. (Source: http://www.npr.org/2011/07/19/138519976/how-to-protect-your-voicemail)

Thanks; I always wondered how it had been done so easily by ordinary PIs. Makes me wonder also how seriously we REALLY care about privacy when such an obvious loophole has gone unclosed for years; people seem more interested in the scandal of CIQ.

And, of course, in the deeply unethical behavior of News Corp employees. Still, no sensible responses?

I’ve looked at the video. I’ve done a lot of phone programming, including on Android. There is no question that the CIQ app can see everything the user does. I think it’s evil to put a piece of SW like this on someone’s phone, and not give them control over it, or the ability to opt out and remove it.

That said, I haven’t seen any evidence that the raw data is being either logged, or sent to CarrierIQ, the carriers, or third parties. Until we know what actually gets sent, I’m going to hold off on calling for heads to roll. This may be another hacked waterpump story. There is a legitimate desire by the carriers to know under what circumstances the users are having problems, and a lot of that can be done by an app like this without compromising privacy.

You know I’m all about ganging up on massive privacy violations. But I’m kind of in pgt’s boat here. I’ve seen the device logs, but I’d like to see the network pcaps to see what is actually transmitted. The reaction is similar to the caching of location data on the iPhone that was discovered some months ago. If the data is gathered on a device I have in my possession but never sent from it (at least the personally identifying stuff like passwords, bank data, etc…) I’m still annoyed, but not as pissed as if it was sucking my data down the network with a big old straw.

I’m not saying it is or isn’t happening. But I’d really like to see some evidence if it is.

OK, I’m clearly crazy. Because I actually find the Sprint statement to be more useful. The Verizon statement gets points for being simple and blunt about CIQ, but it doesn’t say whether or not they run any other software that does the same thing. The Rogers statement is a clumsier way to say the same thing as the Verizon one. The AT&T one refers you to I can’t even count how many pages of legalese that, so far as I can tell, says, “We do whatever we want. Suck it up and deal.” Only the Sprint statement acknowledges that they, like everybody else, monitor handset and network performance, that they use CIQ to do this, and they’re nicely specific about what info CIQ does and doesn’t send them.

Of course, none of the four are saying this under oath, and therefore you’d have to be a total idiot to believe any of them in today’s caveat emptor ethics-free business environment. But at least Sprint addresses the subject in detail.